EP2148463A2 - Dispositif de sortie réseau numérique, procédé de sortie réseau numérique, dispositif de cryptage et dispositif de décryptage - Google Patents

Dispositif de sortie réseau numérique, procédé de sortie réseau numérique, dispositif de cryptage et dispositif de décryptage Download PDF

Info

Publication number
EP2148463A2
EP2148463A2 EP09174508A EP09174508A EP2148463A2 EP 2148463 A2 EP2148463 A2 EP 2148463A2 EP 09174508 A EP09174508 A EP 09174508A EP 09174508 A EP09174508 A EP 09174508A EP 2148463 A2 EP2148463 A2 EP 2148463A2
Authority
EP
European Patent Office
Prior art keywords
array
unit
integer
output
count value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP09174508A
Other languages
German (de)
English (en)
Other versions
EP2148463A3 (fr
Inventor
Yuichi Futa
Motoji Ohmori
Kaoru Yokota
Makoto Tatebayashi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panasonic Intellectual Property Management Co Ltd
Original Assignee
Panasonic Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Panasonic Corp filed Critical Panasonic Corp
Publication of EP2148463A2 publication Critical patent/EP2148463A2/fr
Publication of EP2148463A3 publication Critical patent/EP2148463A3/fr
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • the present invention relates to a numerical array output device that converts an integer to an array, especially relates to the numerical array output device used for an encryption technique, an error correction technique and a digital signature technique as an information security technique.
  • a private communication method is a method to have communication with a specific communication partner without leaking any communication content to anyone else.
  • a digital signature method is a communication method that justifies communication content to the partner and proves a communication originator to be the person himself/herself.
  • an encryption method called a public key encryption is used.
  • the public key encryption is a method to easily manage an encryption key varied from each communication partner when there are more than one partner, which is a mandatory and fundamental technology to communicate with multiple communication partners. To briefly explain it, the encryption key in this method is different from the decryption key, and the decryption key is treated as private whereas the encryption key is in public.
  • the public key encryption is described in detail in " Modern Encryption", Industry Book 1997 written by Tatsuaki Okamoto and Hiroshi Yamamoto (hereinafter referred to as "Literature 1").
  • NTRU encryption As one of the public key encryption, there is encryption called as NTRU encryption.
  • a code of the encryption is small in size compared with one of an elliptic curve encryption. It is installable in a low-performance CPU such as one used for domestic appliances. Therefore, this encryption method has a great potentiality in the future.
  • f(X) is to be expressed in relation with an n-dimensional vector (f 0 , f 1 , f 2 ⁇ ,f N-1 ). Also, among this n-dimensional vector, the vector showing n 1 piece(s) of 1, n 2 piece(s) of -1, and other (n-n1-n2) piece(s) of 0 is expressed as L (n, n1, n2).
  • a private key the decryption keys treated as a private key (hereinafter referred to as a private key), f (v) and Fp (v) are expressed with a following formula.
  • a code attached with (v) such as f (v) and Fp (v) indicates a polynomial.
  • a set of polynomials Lf is a set of polynomials having 51 pieces of 1, 50 pieces of -1 and 162 pieces of 0 in its factor f 0 , f 1 , f 2 ⁇ , f N - 1 .
  • the private key f is a polynomial that belongs to the set of polynomials Lf.
  • p is an integer such as 3.
  • h (v) is expressed in a following formula.
  • Polynomial g(v) ⁇ a set of polynomials Lg L (263, 24, 24)
  • the public key h (v) here is a polynomial. Also, q is, for example, an integer of 2 7 .
  • NTRU encryption In the NTRU encryption, encryption is executed based on a following formula by using this public key h (v). In this encryption, an encryption text e1 (v) is output for an input of a message m1 (v).
  • the polynomial ⁇ (v) is selected at random from a set of polynomials L ⁇ .
  • the encryption text e1 (v) is decrypted through following two steps with using above private keys f (v) and Fp (v), and a message m1' (v) is acquired.
  • the encryption with this FOSRT is executed through following 3 steps, and the encryption text E is output for an input of the message M.
  • a random number R1 is concatenated to the message M, and the concatenated message M ⁇ R1 is acquired.
  • a hash function value ha for the message M ⁇ R1 is acquired based on the hash function.
  • Ha H M ⁇ R ⁇ 1
  • ha ′ H M ⁇ R ⁇ 1 ′
  • Encryption is executed based on the message M ⁇ R1', the hash function value ha' and the algorithm same as one used for the above encryption, and an encryption text E' is acquired.
  • E ⁇ Enc M ⁇ R ⁇ 1 ⁇ ⁇ , ha ⁇
  • the encryption is executed through 3 steps, and the encryption text e (v) is output for the input of the message M (v).
  • a random vector R (v) is concatenated to the message M (v), and the message m (v) is acquired.
  • m(v) M(v) ⁇ (v)
  • a hash function value H (m (v)) of the message m (v) is calculated based on the hash function.
  • the hash function values, H (M(v)) and H (m'(v)) are required to belong to a set of polynomials L ⁇ , for example expressed as L (263, 16, 16) .
  • the set of polynomials, L ⁇ is associated with a set of vectors having 16 pieces of 1, 16 pieces of -1 and 231 pieces of 0 among its factor f 0 , f 1 , f 2 ⁇ , f N-1 .
  • the n-dimensional array consisting of three values, i.e. 16 pieces of 1, 16 pieces of -1 and 231 pieces of 0.
  • H (m (v) and H (m' (v)) are an integer.
  • the n-dimensional array which has n 1 piece(s) of 1, n2 piece(s) of -1 and other element(s) being -1 based on the hash function values, H (m (v)) and H (m' (v)) must be obtained.
  • H (m (v)) and H (m' (v)) must be obtained.
  • Fig. 1 is a flow chart to show the method to get the n-dimensional array.
  • This conversion method inputs n1, n2 and an integer X as a hash function value, and outputs the n-dimensional array VJ having n1 piece(s) of 1, n2 piece(s) of -1, and the other (n-n1-n2) piece(s) of 0.
  • VJ [i] N.B. "i" is an integer from 1 to n.
  • Step S901 At first, let all of elements of the array VJ be an array of 0 (Step S901).
  • the present invention is executed based on consideration of above problems, and aims at providing an array output device that outputs a well-balanced n-dimensional array based on an integer value such as an output value of a hash function value without using so much memory.
  • the array output device is a numerical array output device that outputs various n-dimensional arrays consisting of n K-value integers, each of which is one of K kinds of integers, depending on an input integer, comprising: an initial array decision unit operable to tentatively decide an initial array; and a changing unit operable to change an array element of the initial array decided by the initial array decision unit into the n-dimensional arrays based on the input integer.
  • the n-dimensional array based on the integer can be evenly acquired, and it makes it possible to acquire the n-dimensional array at the same time retaining uniformity based on the integer values evenly distributed such the hash function value, etc.
  • the numerical array output device here may be an array output device, wherein the initial array decision unit tentatively decides one of the n-dimensional arrays consisting of the n K-value integers as the initial array, and the changing unit replaces the array element of the initial array decided by the initial array decision unit based on the input integer, and outputs the replaced initial array.
  • the above array output device may be an array output device, wherein the initial array decision unit tentatively decides, as the initial array, an array, in which all of the array elements are the K-value integer P3, and the changing unit replaces the array element, which is located at a position based on the input integer among the array element of the integer P3 in the initial array decided by the initial array decision unit, with the other integer P1 of the K-values, and outputs the replaced initial array.
  • the changing unit includes a split unit operable to split the input integer into individual split information consisting of a specific number of bit information, and a third integer placement unit operable to replace the array element, which is located at a position based on the split information among the array element of the integer P3 in the initial array, with other integer P1 of the K-values.
  • a numerical array output method for outputting various n-dimensional arrays consisting of n K-value integers, each of which is one of K kinds of integers, depending on an integer input, including: an initial array decision step for tentatively deciding an initial array; and a changing step for changing an array element of the initial array decided by the initial array decision step into the n-dimensional arrays based on the input integer.
  • the encryption device of the present invention is a device that encrypts a message comprising: a function value output unit operable to calculate the message with a one-way converting function and output its result as a function value; a numerical array output unit including an initial array decision unit that tentatively decides an initial array and a changing unit that changes an element of the initial array decided by the initial array decision unit into an n-dimension array based on the function value output by the function value output unit, and operable to output various n-dimensional arrays consisting of n K-value integers, each of which is one of K kinds of integers, depending on the function value; and an encryption text generation unit operable to generate an encryption text based on the array output by the numerical array output unit.
  • Fig. 2 (a) is a block diagram to show structure of the encryption device related to the first embodiment of the present invention.
  • the encryption device 10 includes a random number generation device 20, a concatenation unit 30, a hash function unit 40, an array output unit 100 and an encryption text generation unit 50, which generates an encryption text e (v) based on a message M (V) acquired and a public key h (v).
  • a symbol (v) such as a message M (v), a public key h (v) and an encryption text e (v) indicates a polynomial. Also, the same symbols are used for those same as conventional examples.
  • the random number generation unit 20, the concatenation unit 30, the hash function unit 40, the array output unit 100, and the encryption text generation unit 50 composing this encryption device 10 execute processes respectively through a software of a microcomputer, and those processes are executed by using CPU and memories.
  • this encryption device 10 applies FOSRT, a security proof scheme to the NTRU encryption and generates encryption having a higher security level of the NTRU encryption.
  • the random number generation unit 20 generates a random vector R (v).
  • the concatenation unit 30 concatenates the vector R (v) generated by the random number generation unit 20 with a message M (v), generates a message m (v), and outputs it to the hash function unit 40 and the encryption text generation unit 50.
  • the hash function unit 40 operates the message m (v) with the hash function, which is a one-way function, to produce a hash function value H (m) and outputs it to the array output unit 100.
  • the hash function is the one-way function
  • the hash function value H (m) output from the hash function unit 40 is an integer that is hereinafter referred to as an integer X.
  • the array output unit 100 generates the n-dimensional array V based on the integer X output from the hash function unit 40 and outputs it to the encryption text generation unit 50.
  • p and q are an integer, for example p is 3 and q is 2 7 .
  • Fig. 2 (b) is a block diagram to show structure of the decryption device related to the first embodiment in the present invention.
  • This decryption device 15 contains a decryption unit 25, a hash function unit 45, an array output unit 105, an encryption text generation unit 55, a decision unit 65 and a split unit 35, which decrypts the encryption text e (v), which is encrypted by the encryption device 10, based on the input encryption text e (v), a private key f (v), Fp (v) and a public key h (v), and outputs the original message M' (v).
  • the decryption unit 25, the hash function unit 45, the array output unit 105, the encryption text generation unit 55, the decision unit 65 and the split unit 35 composing this decryption device 15 execute processes respectively through the software of the microcomputer, and those processes are done by using CPU and memories.
  • the decryption unit 25 acquires the message m' (v), which is a decryption value corresponding to the original message, from the encryption text e (v) input based on following formulas.
  • the hash function unit 45 calculates the hash function value H (m') of the message m' (v), and outputs it to the array output unit 105.
  • the hash function value H (m') output from the hash function unit 45 is an integer, which is hereinafter referred to as an integer X'.
  • the array output unit 105 generates the n-dimensional array V' based on the integer X' output from the hash function unit 45 and outputs it to the encryption text generation unit 55.
  • the decision unit 65 inputs the encryption text e (v) and the encryption text e' (v), decides whether both are consistent, and outputs the message m' (v) to the split unit 35 if decided to be consistent.
  • the split unit 35 divides the message m' (v) from the decision unit 65 into a message M' (v) and a random vector R' (v), and outputs the original message M' (v).
  • the array output unit 100 in the encryption device 10 is explained with reference to diagrams. Because the array output unit 105 in the decryption device 15 has the same structure as the array output unit 100 and performs the same action, its explanation is omitted.
  • Fig. 3 is a block diagram to show structure of the array output unit 100.
  • This array output unit 100 uses the integer X as its input and output an array V that belongs to L (n, n1, n2).
  • L (n, n1, n2) here is the entire n-dimensional array having n1 piece(s) of 1, n2 piece(s) of -1 and other (n-n1-n2) piece(s) of 0, and these n, n1 and n2 are preset in the array output unit 100.
  • the array output unit 100 consists of an initial array decision unit 110 and an array element replacement unit 120.
  • the initial array decision unit 110 is to make an initial decision of the array V and generates the following initial decision array V1.
  • V ⁇ 1 i 1 1 ⁇ i ⁇ n ⁇ 1
  • V ⁇ 1 i - 1 ⁇ n ⁇ 1 + 1 ⁇ i ⁇ n ⁇ 1 + n ⁇ 2
  • V ⁇ 1 i 0 ⁇ n ⁇ 1 + n ⁇ 2 + 1 ⁇ i ⁇ n
  • V1[i] is the i th (i is an integer from 1 to n) array element (element) (from left) of the initial decision array V1.
  • Fig. 4 is a diagram to show an array status of the array V in each phase of the array output unit 100.
  • the array status on the top shows the initial decision array V1 decided by the initial array decision unit 110.
  • the array element replacement unit 120 inputs the initial decision array V1 output from the initial array decision unit 110 and the integer X, and outputs the n-dimensional array V having n1 piece(s) of 1, n2 piece(s) of -1 and other (n-n1-n2) piece(s) of 0. That is to change an array element of the initial decision array V1 decided by the initial array decision unit 110.
  • Fig. 5 is a flow chart to show processes executed by the array element replacement unit 120.
  • a value of a counter c' be a count value c in below.
  • the array element replacement unit 120 substitutes the integer X for an argument Y and substitutes the array V for the initial decision array V1. It means that it substitutes V1 [i] for V [i] for all of i (i is an integer from 1 to n.) (Step S101).
  • the array element replacement unit 120 sets the count value c of the counter c' to n (Step S102).
  • the array element replacement unit 120 regards tmp ⁇ V[c] (Step S104). That is to substitute the c th element V[c] of the array V for a register tmp.
  • the array element replacement unit 120 regards V[c] ⁇ V[R+ 1](Step S105). That is to substitute the (R+1) th element of the array V for the c th element of the array V.
  • the array element replacement unit 120 regards V[R+1] ⁇ tmp (Step S106). That is to substitute the content of the register tmp for the (R+ 1) th element of the array V.
  • the c th element and (R+1)th element are replaced.
  • the array element replacement unit 120 substitutes the quotient S for the argument Y (Step S107).
  • the array element replacement unit 120 validates whether the count value c is 2 or not (Step S108). If the count value c is validated to be 2 (Yes in Step S108), the array element replacement unit 120 outputs the array V (Step S110) and terminates the process.
  • Step S109 the array element replacement unit 120 validates the count value c is not 2 (No in Step S108)
  • R for its remainder Step S103.
  • the initial array decision unit 110 at first decides the initial decision array V1 of the n-dimensional array having n1 piece(s) of 1, n2 piece(s) of -1 and other being 0, and outputs it to the array element replacement unit 120.
  • the array element replacement unit 120 acquires the initial decision array V1 output from the initial array decision unit 110 and the integer X input to the array output unit 100, replaces each element of the initial decision array V1 based on the integer X, and outputs the n-dimensional array V having n1 piece(s) of 1, n2 piece(s) of -1 and other element(s) being 0.
  • the array element replacement unit 120 replaces the (R+1) th element in the array V, meaning the fifth element "-1" with the eighth element "0"(Step S104 ⁇ Step S106) and creates the array status indicated in the array V2 in Fig. 4 .
  • the array element replacement unit 120 substitutes 4919 for the argument Y (Step S107).
  • the array element replacement unit 120 replaces the sixth element "0" with the seventh element “0" from left in the array V (Step S104 ⁇ Step S106), and creates the array status indicated in the array V3 in Fig. 4 .
  • the array element replacement unit 120 elements of the initial decision array V1, are replaced.
  • the following focuses in detail on elements of the initial decision array V1 replaced by the array element replacement unit 120.
  • Step S104 A significance of the actions in Step S104, Step S105, Step S106 (hereinafter referred to as "a replacement process when the count value c is n") is that the n th element V1 [n] in the initial decision array V1 is replaced by the (R_n+1) th element V1 [R_n+1].
  • R_n here is the remainder when the argument Y is divided by n so that it can be some number from 0 to n-1.
  • When the count value c is n-1
  • the n-1 th element of the array V which is in the status where the replacement process is just completed when the count value c is n, is replaced with the (R_(n-1)+1) th element.
  • R_(n-1) here is the remainder when the argument Y is divided by the counter value (n-1)
  • the value can be some number from 0 to n-2. Therefore, the (n-1)th element of the array V, which is in the status the replacement process when the count value c is n-1 is just completed, is the (R_(n-1)+1)th element of the array V at the point when the replacement process is just completed when the count value c is n.
  • the n th element of the array V in the status the replacement process is completed when the count value c is n is not treated as a subject for replacement.
  • a case the count value c is n-2 or below is taken into account. In such a case, it is the same as the case when the count value c is n-1.
  • the i th element of the array V in the status the replacement process is completed when the count value c is i is the (R_i+1) th element of the array V in the status the replacement process is completed when the count value c is (i+1). Note that the replacement process when the count value c is (i+1) is executed before the replacement process when the count value c is i. After this point, the i th element of the array V will never be replaced by other values. Because if j ⁇ i-1, R_j is the remainder when the argument Y is divided by j so that it satisfies R_j ⁇ j-1. Consequently, it becomes (R_j +1) ⁇ i-1 ⁇ i.
  • the integer X is an integer that satisfies 0 ⁇ X ⁇ (n ! -1).
  • the value of the argument Y in Step 5103 when the count value c of the counter c' is c, is Y_c
  • the quotient S is S_c
  • the remainder R is R_c (the value of R_c is as defined as before.).
  • Step S107 0 ⁇ R_c ⁇ (c-1) .
  • Step S107 0 ⁇ R_c ⁇ (c-1) .
  • Y_ c - 1 S_c
  • R_i here is an integer that satisfies 0 ⁇ R_i ⁇ i-1. From the integer X, it is obvious that R_2, R_3, ⁇ , R_(n-2), R_(n-1), R_n are decided uniquely. Also, the other way around is apparent. Therefore, the relationship between the integer X being 0 ⁇ X ⁇ (n ! -1) and R_2, R_3, ⁇ , R_(n-2), R_(n-1), R_n is 1 to 1. ⁇ Relationship between series and replacement
  • each element of the initial decision array V1 is replaced according to the integer X to output the array V.
  • its replacement is decided by series of R_n, R_(n-1), R_(n-2), ⁇ , R_3, R_2. Because the n th element of the array V at the time of the replacement process completion when the count value c is n is the (R_n+1)th element of the initial decision array V1. From this point, the n th element of the array V will not be replaced.
  • the n th element of the array V at the time of the replacement process completion when the count value c is i is the (R_i+1) th element of the array V at the time of the replacement process completion when the count value c is (i+1).
  • the i th element of the array V will not be replaced, which means from the n th element to the i th element of V, the elements will not be changed.
  • the array V at the time of the replacement process completion when the count value c is (i+1) is decided by the series R_n, R_(n-1), ⁇ , R_(i+1).
  • the replacement method for n piece(s) of elements of the initial decision array V1 is regarded to be "n piece(s) of original replacement".
  • n piece(s) of original replacement its replacement can be realized by the above processing content in the array element replacement unit 120. It is explained as follows.
  • an ordered string which is a result of replacing n piece(s) of sequential element V[1], V[2], ⁇ ,V[n] as its input, is used.
  • one replacement is expressed as follows. V ⁇ ⁇ 1 , V ⁇ ⁇ 2 , ⁇ , V ⁇ n
  • the value of ⁇ n is decided by the above R_n.
  • the value of ⁇ (n-1) is decided by values of R_n and R_(n-1), and it is apparent that it is evenly selected from all values other than ⁇ n.
  • the value of ⁇ i is decided by R_n, R_(n-1), ⁇ , R_(i+1), and it is decided from all values other than ⁇ n, ⁇ n-1), ⁇ , ⁇ (i+1). Therefore, according to the above array element replacement unit 120, the replacement method for the entire initial decision array V1 is decided. Consequently, it is understood that a relationship of the replacement method between the integer X being 0 ⁇ X ⁇ (n !
  • each element of the initial decision array V1 is composed of n1 piece(s) of 1, n2 piece(s) of -1 and (n-n1-n2) piece(s) of 0. If the placement set of n1 piece(s) of 1 is identical in the array V output, the value of the array V is also identical. The same can be applied to n2 piece(s) of -1 and (n-n1-n2) piece(s) of 0. The following explains how frequently the same output array may happen to be output.
  • n1 piece(s) of 1 in ⁇ 0 (V1) stays the same as the value of ⁇ 0 (V1) even if its position is replaced. In the same way, the result of ⁇ 0 (V1) is not changed even if positions are replaced for n2 piece(s) of -1 and (n-n1 -n2) of 0. However, if a position of 1 is replaced with a position of 0, or if the position of 1 is replaced with a position of -1, the result of ⁇ 0 (V1) will be different. Therefore, any possible ⁇ 1 exists only for a combination of position replacement in n1 piece(s) of 1 and n2 piece(s) of -1 and (n-n1 -n2) piece(s) of 0.
  • n1 piece(s) of 1 Because there are n1 piece(s) of 1, it has (n1) ! types. In the same way, for the replacements of n2 piece(s) of -1 and (n-n1-n2) piece(s) of 0, there are (n2) ! types and (n-n1-n2) ! types available for each. Therefore, there are (n1) ! ⁇ (n2) ! ⁇ (n-n1-n2) !types of ⁇ 1.
  • the array output unit 100 in the first embodiment can convert n ! types of integer X in n ! / ((n1) ! ⁇ (n2) ! ⁇ (n-n1-n2) ! types of replacements. Also, previous discussion reveals that its uniformity is decided by n1 and n2 regardless of replacement types.
  • the array output unit 100 can evenly output the n-dimensional array based on the input integer X. Also, according to above explanation, it is apparent that the array output unit 100 always performs the same output for the same input.
  • the array output unit 100 can evenly output the n-dimensional array based on the input integer X. Because of this, in the case FOSRT is applied to the NTRU encryption, the array output unit 100 can evenly output the n-dimensional array based on the hash function value H (m) output from the hash function unit 40. It is possible to retain the uniformity of the hash function distributed by the hash function unit 40. Therefore, the encryption device 10 can generate the encryption text e (v) at a high security level.
  • the array output unit 100 sets the array V only based on the integer X, it does not require using a memory table and only requires a little memory.
  • the array output unit 105 of the decryption device 15 in Fig. 2 (b) has the same structure as the array output unit 100, it is possible to decrypt the encryption text encrypted by the encryption device 10.
  • each unit composing the encryption device 10 and the decryption device 15 is supposed to be done through the software of the microcomputer, it may also be activated by hardware such as an electric circuit or an IC.
  • the structure is not only limited to the presumed structure that outputs the array based on the hash function value with using the array output unit 100 on the encryption device 10.
  • the array output unit 100 indicated in Fig. 3 includes the initial array decision unit 110 and the array element replacement unit 120, which has structure that the array element replacement unit 120 replaces each element of the initial decision array V1 decided by the initial array decision unit 110 based on the integer X; however: it may be an array output unit (hereinafter referred to as an array output unit 100a) having structure that executes the same process as the array element replacement unit 120, which inputs the integer X and the preset initial decision array V1, replaces the initial decision array V1 based on the integer X, and outputs the array V.
  • an array output unit 100a having structure that executes the same process as the array element replacement unit 120, which inputs the integer X and the preset initial decision array V1, replaces the initial decision array V1 based on the integer X, and outputs the array V.
  • the array output unit 100a structured in this way executes the same process as the array element replacement unit 120, it can retain the uniformity of the hash function distribution, does not use a table, and replaces the array V1 only from the integer X information. Therefore, it does not require a vast amount of memory.
  • the array output unit 100a may be an encryption device or an encryption method, which uses the integer X as a key, the initial decision array V1 as a message, and the array V as an encryption text. Furthermore, it may also be an encryption device or an encryption method, which uses the array output unit 100a.
  • the encryption device in the present embodiment is an array output unit 200 having different structure from the array output unit 100 compared with the encryption device 10 in Fig. 2 (a) . Since structure of other parts is in common, their explanation is omitted.
  • Fig. 6 is a block diagram to show the structure of the array output unit 200 in the present embodiment.
  • This array output unit 200 inputs the integer X and outputs the array V20 that belongs to L (n, n1, n2) .
  • L (n, n1, n2) here indicates the entire n-dimensional array having n1 piece(s) of 1, n2 piece(s) of -1 and other (n-n1-n2) piece(s) of 0, and n, n1, n2 are preset to the array output unit 200.
  • the array output unit 200 consists of a first number placement unit 210 and a second number placement unit 220, which executes processes in the same way as the array output unit 100 through the software of the microcomputer or hardware such as an electric circuit.
  • the first number placement unit 210 uses the integer X as its input and outputs the n-dimensional array V10, which has n1 piece(s) of 1 and other element(s) of 0, and the integer X1, which is resulted by a specific calculation on the integer X, to the second number placement unit 220.
  • the first number placement unit 210 tentatively decides an array element having all array elements being 0, and changes the array elements of 0 to 1 based on the integer X.
  • the second number placement unit 220 inputs the array V10 output from the first number placement unit 210 and the integer X1, and outputs the n-dimensional array V20 having n1 piece(s) of 1, n2 piece(s) of -1 and other (n-n1-n2) piece(s) of 0.
  • the second number placement unit 220 here changes the array element with 0 in the array output by the first number placement unit 210 to -1.
  • Fig. 7 is a flow chart to show the process executed by the first number placement unit 210.
  • the first number placement unit 210 executes the process in the following steps.
  • the i th element (from left) in the array V10 is to be V10 [i].
  • a value of the counter c1' is to be a count value c1
  • a value of the counter c2' is to be a count value c2.
  • Fig. 8 shows an array status at each phase of the array V10 in the first number placement unit 210.
  • the first number placement unit 210 substitutes the integer X for an argument Y1 (Step S201).
  • the first number placement unit 210 makes all of the elements in the array V10 to 0 (an integer P1) (Step S202).
  • the initial array is decided at this point.
  • the first number placement unit 210 sets the count value c1 of the counter c1' to 1 (Step S203).
  • the first number placement unit 210 sets the count value c2 of the counter c2' to n (Step S204).
  • the first number placement unit 210 produces a quotient S and a remainder R of the argument Y1 (dividend) divided by the count value c2 (divisor) (Step S205).
  • the first number placement unit 210 sets the (R+1) th element from left in the elements with 0 in the array V10 to 1 (integer P2)
  • the first number placement unit 210 substitutes the quotient S for the argument Y1 (Step S207).
  • the first number placement unit 210 repeats from the process to get the quotient S and the remainder R until the count value c1 of the counter c1' becomes n1 (Step S205) to the process to increment the count value c1 and decrement the count value c2 (Step S209). Then, when the count value c1 of the counter c1' becomes n1, i.e. when the number of 1 among the elements in the array V10 has become n1 piece(s), the first number placement unit 210 outputs the array V10 to the second number placement unit 220.
  • the first number placement unit 210 substitutes 5644 for the argument Y1 (Step S201).
  • the first number placement unit 210 makes an array status of the array V10 be in an array status having all elements with 0, as shown in the array V11 in Fig. 8 (Step S202).
  • the first number placement unit 210 sets 1 to the (R+1) th from left in the elements being 0 in the array V10, i.e. the fifth element, V10[5], and be in the array status shown in the array V12 in Fig. 8 (Step S206).
  • the quotient S is 100 and the remainder S is 5.
  • the first number placement unit 210 sets 1 to the sixth element from left among the elements being 0 in the array V10.
  • An array status of the array V10 before this setup is the array status shown in the array ⁇ /12 in Fig. 8 .
  • the element of 0 in the array V12 is an element other than V12[5]. Because the sixth element in the elements being 0 in the array V12 is V12[7], 0 of V12[7] is made to be 1 (Step S206). Because of this, it becomes the array V13 shown in Fig. 8 .
  • n1 3 in this example.
  • Fig. 9 is a flow chart to show a process executed by the second number placement unit 220.
  • Fig. 10 shows an array status at each phase of the array V20 in the second number placement unit 220.
  • the second number placement unit 220 substitutes the value of the argument Y1 (integer X1) output from the first number placement unit 210 for the argument Y2 (Step S301).
  • the second number placement unit 220 substitutes the array V10 output from the first number placement unit 210 for the array V20 (Step S302).
  • the second number placement unit 220 sets the count value c1 to 1 (Step S303).
  • the second number placement unit 220 sets the count value c2 to (n-n1) (Step S304).
  • the second number placement unit 220 produces the quotient S and the remainder R of the argument Y2 (dividend) divided by the count value c2 (divisor) (Step S305).
  • the second number placement unit 220 sets -1 to the (R+1) th element from left among the element being 0 in the array V20 (Step S306).
  • the second number placement unit 220 substitutes the quotient S for the argument Y2 (Step 5307).
  • Step S308 the array V20 is output (Step S310) because the number of the element being -1 in the array V20 has reached to n2 piece(s), and then the process is terminated.
  • the second number placement unit 220 substitutes 150 for the argument Y2 (Step S301)
  • the second number placement unit 220 substitutes the array V10, having 3 piece(s) of 1 and other 5 piece(s) of 0, output from the first number placement unit 210 for the array V20.
  • the array V21 in Fig. 10 is the array input as a substitute (Step S302).
  • the second number placement unit 220 makes the first element, i.e. V20[1] , from left among the elements being 0 in the array V20 be -1 (Step S306).
  • the array V22 in Fig. 10 shows this array status.
  • the second number placement unit 220 sets -1 to the (R+ 1)th element from left among the elements being 0 in the array V20, i.e. the third element.
  • the array status of the array V20 before the setup is the array V22 shown in Fig. 10 , and the element of 0 is V22[3], V22[4], V22[6], V22[8]. Because the third element from left in the elements being 0 in the array V22 is V22[6], 0 of V22[6] is set to be -1 (Step S306).
  • the array status after this setup is the array V23 shown in Fig. 10 .
  • the second number placement unit 220 outputs the array V20 (Step S310). This array 20 output is in the array status shown in the array V23 in Fig. 10 .
  • the array output unit 200 outputs the n-dimensional array of having n1 piece(s) of 1, n2 piece(s) of -1 and (n-n1-n2) piece(s) of 0 from the integer X being the hash function value H (m).
  • the array output unit 200 mentioned above evenly outputs the array L (n, n1, n2) based on the integer X that satisfies 0 ⁇ X ⁇ (((n ! )/(n-n1-n2)!-1).
  • the following explanation is limited to the integer X that satisfies 0 ⁇ X ⁇ (((n!)/(n-n1-n2)!-1).
  • the first number placement unit 210 sets 1 to the element of the array V10 at the location based on the integer X. The following focuses on the process in detail, which sets this element to 1. Also, in the same way as the first embodiment, in the structure of the first number placement unit 210, the remainder of Step 5205 in the count value c2 is R_c2. The overall explanation flow is as follows.
  • Step S206 the R_n+1 th element in the element being 0 in the array V10 is set to 1.
  • the count value c2 is n
  • all of elements in V10 are 0 before the R_n+1 th element is set to 1. Therefore, it means that the R_n+1 element is simply set to 1.
  • Step S206 the R_(n-1)+1 th element in the elements being 0 in the array V10 is set to 1. Because the element being 0 in the array V10 is treated as a subject to be set to 1, note that the R_n th element set at the time the count value c2 is n is not treated as its subject.
  • the R_(n-1)+1 th element among the elements being 0 in the array V10 is R_(n-1) ⁇ R_n, it is simply the R_(n-1)+1 th element in the array V10. In a case of R_(n-1)>R_n, it is the R_(n-1)+2 th element in the array V10.
  • the element set to 1 when the count value c2 is i is not regarded as a subject to be set to 1 in the step the count value c2 is i+1 and after. Therefore, the element set once is not set again.
  • the array V10 has n1 piece(s) of 1 and other (n-n1) piece(s) of 0.
  • the above discussion on the first number placement unit 210 can be applied as well to the second number placement unit 220.
  • the array V20 has n1 piece(s) of 1, n2 piece(s) of -1, and other (n-n1-n2) piece(s) of 0.
  • the integer X is an integer that satisfies 0 ⁇ X ⁇ ((n!)/(n-n1-n2)!-1).
  • R of Step S205 in the first number placement unit is supposed to be R_i
  • R of Step S305 that executes the same process for the second number placement unit is also R_i.
  • the count value c2 of the first number placement unit 210 here is in a range from n to n-n1+1.
  • the count value c2 of the second number placement unit 220 is in a range from n-n1 to n-n1-n2+1.
  • the count value c2 is not overlapped between the first number placement unit and the second number placement unit.
  • the integer X has a 1 to 1 relationship with the series R_(n-n1-n2+1), ..., R_n. ⁇ Series and integer placement
  • the counter c2 is i by R_i(n-n1-n2+1 ⁇ i ⁇ n)
  • 1 is set for a case the R'_i+l th element of the array V20 is n-n1+1 ⁇ i ⁇ n
  • -1 is set for a case the R'_i+l th element of the array V20 is n-n1-n2+1 ⁇ i ⁇ n - n1.
  • the value of the counter c2 when a sequence, i.e.
  • the array belongs to L(n, n1, n2) has n ! /(n1) ! x(n2) ! ⁇ (n-n1
  • the encryption device of the present embodiment includes an array output unit 300 that has different structure from the array output unit 100. Since other components are identical, their explanation, is omitted.
  • the array output unit 300 in the present invention is explained with reference to diagrams.
  • Fig. 11 is a block diagram to show structure of the array output unit 300 in the present embodiment.
  • This array output unit 300 inputs the integer X and outputs the array V40 that belongs to L (n, n1, n2). n, n1 and n2 here are preset and provided to this array output unit 300.
  • the array output unit 300 which consists of a first number placement unit 310 and a second number placement unit 320, executes the process through software of a microcomputer and hardware such as an electric circuit in the same way as the array output unit 100.
  • the first number placement unit 310 inputs the integer X and outputs the n-dimensional array V30, which has n1 piece(s) of 1, and other elements of 0, and the integer X2 resulted by a specific calculation on the integer X.
  • the first number placement unit 310 tentatively decides the array element having 0 in all of the array elements, and changes the array elements of 0 to 1 based on the integer X.
  • the second number placement unit 320 inputs the array V30 and the integer X2 output from the first number placement unit 310, and outputs the n-dimensional array V40 having n1 piece(s) of 1, n2 piece(s) of -1 and other n (n-n1-n2) piece(s) of 0.
  • the second number placement unit 320 here changes the array element being 0 in the array output by the first number placement unit 310 to -1.
  • Fig. 12 is a flow chart to show the process of the first number placement unit 310.
  • the first number placement unit 310 is executed in the following steps.
  • the i th element (from left) in the array V30 is supposed to be V30[i].
  • the counter c1' is the count value c1 and the counter c2' is the count value c2.
  • the first number placement unit 310 substitutes the integer X for the argument Z1, and makes the array V30 be the n-dimensional array having all elements with 0 (Step S401).
  • the initial array is decided here.
  • the first number placement unit 310 sets the count value c1 of the counter c1' to n1, and the count value c2 of the counter c2' to 1 (Step S402).
  • the first number placement unit 310 validates if the argument Z1 ⁇ C (n - c2, c1) (Step S403).
  • Z1-C (n-c2, c1) is substituted for the argument Z1
  • the count value c1 of the counter c1' is decremented (c1 ⁇ c1-1)
  • the (n-c2+1) th element in the array V30 is set to be 1 (V30[n-c2+1] ⁇ 1) (Step S404).
  • the first number placement unit 310 increments the count value c2 of the counter c2' (Step S406).
  • the first number placement unit 310 validates the argument Z1 is not ⁇ C (n-c2,c1) (No in Step S403), the (n -c2+1) th element of the array V30 is set to 0 (V30[n-c2+1] ⁇ 0) (Step S405). Then, the first number placement unit 310 increments the count value c2 of the counter c2' (Step S406).
  • the (n-c2+1) th element in the array V30 is set to 0 or 1.
  • Step S406 the first number placement unit 310 validates the count value c2 > n (Step S407).
  • the first number placement unit 310 validates the count value c2 is not > n (No in Step S407), it executes a validation process once again to validate the argument Z1 ⁇ C (n-c2, c1) (Step S403), and it repeats from the validation process (Step S403) to the process to validate the count value c2>n (Step S407) until the count value c2 becomes >n.
  • this first number placement unit 310 Actions of this first number placement unit 310 are explained with a specific example.
  • Fig. 14 (a) shows an array status of each phase in the array V30.
  • the first number placement unit 310 substitutes 50 for the argument Z1 (Step S401).
  • the first number placement unit 310 makes the count value c1 of the counter c1' be 4, and the count value c2 of the counter c2' be 1 (Step S402).
  • the array status of the array V30 at this point is the array V31 shown in Fig. 14 .
  • the first number placement unit 310 increments the count value c2 to 2 (Step S406).
  • the first number placement unit 310 does not output the array V30 and validates the size relationship of the argument Z1 and C (n-c2, c1) once again (Step S403).
  • the array status of the array V30 at this point is the array V32 indicated in Fig. 14 .
  • Fig. 13 is a flow chart to show the process of the second number placement unit 320.
  • the second number placement unit 320 is executed by the following steps.
  • the value of the counter c1' is the count value c1 and the value of the counter c2' is the count value c2.
  • the second number placement unit 320 substitutes the integer X2 output from the first number placement unit 310 for the argument Z2, substitutes the array V30 for the array V40, and makes the array W be the (n-n1)th array having all elements with 0 (Step S501).
  • the second number placement unit 320 makes the count value c1 of the counter c1' be n2 and makes the count value c2 of the counter c2' be 1 (Step S502).
  • the second number placement unit 320 validates if the argument Z2 ⁇ C (n-n1-c2, c1) (Step S503).
  • Z2-C (n-n1-c2, c1) is substituted for the argument Z2, the count value c1 is decremented (c1 ⁇ c1-1), the (n-n1-c2+1) th element in the array W is set to -1 (Step S504).
  • the second number placement unit 320 increments the count value c2 (Step S506).
  • the second number placement unit 320 validates Z2 is not ⁇ C (n-n1-c2, c1) (No in Step 503), it makes the (n -n1-c2+1) th element in the array W be 0 (Step S505). Then, the second number placement unit 320 increments the count value c2 (Step S506).
  • the (n-n1-c2+1) th element in the array W is set to 0 or -1.
  • Step S506 when the second number placement unit 320 increments the count value c2 (Step S506), it validates if the count value c2 is c2>n--n1 (Step S507).
  • the second number placement unit 320 validates c2 is not >n-n1 (No in Step S507), it executes the validation once again to validate if the argument Z2 is ⁇ C (n-n1-c2, c1) (Step S503), and repeats from the above process (Step S503) to the process of c2>n-n1 (Step S507) until c2 becomes >n-n1.
  • the second number placement unit 320 sets the (n-n1-c2 + 1) th element in the array W to 0 or -1 according to the size relationship between argument Z2 and C (n-n1-c2, c1) for each case the count value c2 is from 1 to (n-n1) .
  • Step S507 when the second number placement unit 320 validates if c2 is >n-n1 (Yes in Step S507), it moves to the process to make the count value c1 be 1 and the count value c2 be 1 (Step S508).
  • the second number placement unit 320 validates if the count value c2 is c2 > n - n1 (Step S511).
  • the count value c2 is not validated to be c2>n-n1 (No in Step S512)
  • it moves to the process to increment the count value c1 (c1 ⁇ c1+1) (Step S512).
  • the second number placement unit 320 outputs the array V40 externally and terminates the process.
  • Step S508 to the process to output the array V40 (until Step S512), the elements of W [c2] are sequentially substituted for the 0 element of V[c1].
  • Fig. 14 (b) shows the array status of each phase of the array V40
  • Fig. 14 (c) shows the array status at each phase of the array W.
  • the second number placement unit 320 sets the count value c1 of the counter c1' to 2, and sets the counter c2 to 1 (Step S502).
  • each element of the array W is set to be 0 or -1.
  • the array W2 in Fig. 14 (c) is one example to show the array status of all elements being set.
  • Step S507 when all of the elements in the array W are set (Yes in Step S507), the second number placement unit 320 makes the count value c1 of the counter c1' be 1 and the count value c2 of the counter c2' be 1 (Step S508). In a subsequent process, each element in the array W is substituted for the 0 element in the array V41.
  • the array status of the array V40 is the array V41 and the array status of the array W is the array W2.
  • the c2 th element in the array W i.e. 0. being W[1] is substituted for V41[1].
  • the array V42 in Fig. 14 (b) is in such a status.
  • the second number placement unit 320 substitutes all elements in the array W2 for the 0 element in the array V41 (the processes from Step S509 to Step S512), and outputs the array 41.
  • the array V43 in Fig. 14 (b) is the array status when the element of the array 2 is substituted for the 0 element in the array V41.
  • the second number placement unit 320 inputs the array V30, which is output from the first number placement unit 310, and the integer X2, and outputs the n-dimensional array V40 having n1 piece(s) of 1, n2 piece(s) of -1 and other elements of 0.
  • the present embodiment puts the Schalkvijk algorithm into practice.
  • the Schalkvijk algorithm is used when the placement location is decided for the element of 1 in the array V30 of the first number placement unit 310, and when the placement location is decided for the element of -1 in the array V40 of the second number placement unit 320.
  • the placement location is decided for 1 and -1 by using the Schalkvijk algorithm. If the object is limited to the types of the output for the input or less, it is known that the Schalkvijk algorithm can convert the object in the 1 to 1 relationship. It is described in detail in the Literature 4 mentioned. Therefore, the array output unit 300 in the third embodiment outputs the array V40 that is in the 1 to 1 relationship with the integer X. Consequently, the array output unit 300 is supposed to evenly output the array based on the input integer X.
  • the value of the integer X for one output value there are (n1) ! ⁇ (n2) ! ⁇ (n-n1-n2) ! types as its input value.
  • the output length of the hash function may just be 163 bits or more, which is 92 bits less than the one required by the second embodiment.
  • C (n - n1, c2) and C (n - n1 - n2, c2) need to be calculated in the first number placement unit and the second number placement unit of the array output device 300 in the third embodiment. Since it includes a factorial calculation, the calculation volume becomes bigger. On the other hand, in the first and second embodiment, their calculation volume stays small. Because they do not include the factorial calculation.
  • the array output unit 300 can evenly output the n-dimensional array based on the integer X. Based on this, FOSRT is applied to the NTRU encryption and the array output unit 300 is used instead of the array output unit 100 of the encryption device 10 in Fig. 2 (a) . Therefore, it makes it possible to retain the well-balanced distribution of the hash function by making the array output unit 300 evenly output the n-dimensional array based on the hash function value H (m) output from the hash function unit 40. Consequently, the security level of the encryption text generated by the encryption device 10 can be enhanced.
  • the array output unit 300 sets the array V40 only from the integer X, it does not require to use a memory table and only requires a little memory.
  • the encrypted text can be decrypted by using the array output unit 300 instead of the array output unit 105 in the decryption device 15 in Fig. 2 (b) .
  • the encryption device related to the fourth embodiment in the present invention is explained.
  • the encryption device in the present embodiment is composed of the array output unit 400 that has different structure from the array output unit 100 compared with the encryption device 10 in Fig. 2 . Because other structure is in common, its explanation is omitted.
  • the array output unit 400 in the present embodiment is explained with diagrams.
  • Fig. 15 is a block diagram to show the structure of the array output unit 400 in the present embodiment.
  • This array output unit 400 inputs the integer X and outputs the array V50 that belongs to L (n, n1, n2).
  • L (n, n1, n2) here is the entire n-dimensional array having n1 piece(s) of 1, n2 piece(s) of -1 and other (n-n1-n2) piece(s) of 0, and n, n1, n2 are preset in the array output unit 400.
  • This array output unit 400 tentatively decides the array element of which array elements are all 0, and changes the array elements being 0 to 1 and -1 based on the integer X.
  • the array output unit 400 executes the process through the software of the microcomputer or hardware such as an electric circuit in the same way as the array output unit 100.
  • the array output unit 400 makes the array V50 be in the array status having 0 in all elements.
  • the array output unit 400 divides the integer X by every 8 bits.
  • the integer X is indicated by a set of bit information expressed in 2 values of 0 and 1. As shown in Fig. 17 , the integer X is divided into (n1+ n2) piece(s) by every 8 bits.
  • Fig. 17 is a diagram to show the status that the integer X is divided into each split information [0], split information D[1] ⁇ split information [n1 + n2 - 1].
  • Each split information D[0], split information D[1] ⁇ split information D[n1+n2-1] shows an integer of 8 bits information.
  • the array output unit 400 does not set 1 if the pi th element in the array V50 is not 0, regards pi ⁇ (pi+1) mod n, and sets 1 to the element of 0, located on the right side of the pi th element.
  • the array output unit 400 executes the process to set the element in the array V50 to 1.
  • the array output unit 400 executes the process to set then -1 element based on the split information D[i] until the number of the -1 element in the array V50 has become n2 piece(s).
  • Fig. 16 is a flow chart to show the process executed by the array output unit 400.
  • the array output unit 400 is executed through the following steps.
  • the value of the counter c1' is to be the count value c1
  • the value of the counter c2' is to be the count value c2.
  • the array output unit 400 substitutes the integer X for the argument Y10 (Step S601).
  • the array output unit 400 makes the array V50 be in the array status of having all elements 0 (Step S602).
  • the array output unit 400 delimits the integer X by every 8 bits, and divides it into the split information D[0], split information D[1] ⁇ split information D[n1+n2-1] (Step S603).
  • the array output unit 400 sets the count value c1 of the counter c1' to 0 (Step S604),
  • the array output unit 400 sets the count value c2 of the counter c2' to D[0]+1 (Step S605). Consequently, the count value c2 becomes the value of the integer Q+1 shown by the 8-bit split information D[0].
  • the array output unit 400 validates if the c2 th element V50[c2] in the array V50 is 0 (Step S606). If it is not 0 (No in Step S606), the count value c2 is set to be c2 ⁇ (c2+1)mod n (Step S607), and the array output unit 400 validates once again if the element V50[c2] is 0 or not (Step S606). On the other hand, when the array output unit 400 validates that V50[c2] is 0 (Yes in Step S606), the element V50[c2] is set to be 1 (Step 5608).
  • Step S606 the validation process if the element V50[c2] is 0 (Step S606), the process for c2-(c2+1)mod n (Step S607) and the process for V50[c2] ⁇ 1, if the element of V50[c2] is not 0, the 0 element on the right side of V50[c2] is sequentially searched around and set to 1.
  • the array output unit 400 validates if the count value c1 of the counter c1' is c1 ⁇ n1-1 (Step S609).
  • Step S609 When the array output unit 400 validates that the count value c1 of the counter c1' is c1 ⁇ n1-1 (Yes in Step S609), it increments the count value c1 (c1 ⁇ c1+1.) as well as making the count value c2 be c2 ⁇ (c2+ D[c1])mod n (Step S610), and validates once again if V50[c2] is 0 (Step 5606).
  • the process is executed to set the element to be 1 until the number of the 1 element in the array V50 becomes n1 piece(s).
  • the array output unit 400 validates that the count value c1 is not c1 ⁇ n1-1 (No in Step S609), the number of the 1 element in the array V50 is assumed to be n1 piece(s). Therefore, in order to move to the process to set the element to -1 in the array V50, it makes the count value c1 be 0 (Step S611) and makes the count value c2 be c2 ⁇ (c2+D[n1])mod n (Step S612).
  • the array output unit 400 validates if the element V50[c2] in the array V50 is 0 (Step S614). If it is not 0 (No in Step S614), it makes the count value c2 be c2 ⁇ (c2+1)mod n (Step S613) and validates once again if the element V50[c2] is 0 (Step S614). On the other hand, when the array output unit 400 validates that V50[c2] is 0 (Yes in Step S614), it sets the element V50[c2] to -1 (Step S615).
  • Step S614 the process to validate if the element V50[c2] is 0 (Step S614), the process for c2 ⁇ (c2+1)mod n (Step S613), and the process for V50[c2] ⁇ -1 (Step S615), if the V50[c2] element is not 0, the element on the right side of V50[c2] being 0 is sequentially searched round and set to -1.
  • the array output unit 400 validates if the count value c1 of the counter c1' is c1 ⁇ n2-1 (Step S616).
  • the array output unit 400 validates that it is c1 ⁇ n2-1 (Yes in Step 616), it increments the count value c1 (c1 ⁇ c1+1) as well as making the count value c2 be c2 ⁇ (c2 + D[c1 + n1])mod n (Step S617), and validates once again if V50[c2] is 0 (Step S614).
  • the array output unit 400 validates that it is not c1 ⁇ n2-1 (No in Step S616), it outputs the array V50 as the number of the -1 element in the array V50 becomes n2 piece(s).
  • Fig. 18 shows the array status of the array V50 at each phase in the array output unit 400.
  • Step S608 the 140 th element V50[140] from left in the array V50 is set to 1 (Step S608). Since this array status is according to the array V51 shown in Fig. 18 , in which 140 th element is 1 and other elements are 0.
  • the count value c2 is set to be c2 ⁇ (c2+ D[1])mod n (Step S610)in order to execute the process to set the array V50 element to 1.
  • This array status is as shown in the array V52 of Fig. 18 , indicating the 19 th element and 140 th element from left are 1 and other elements are 0.
  • the -1 element of the array V50 is set sequentially.
  • the array output unit 400 evenly decides the first 1 element in the array V50 based on the split information D[0] found by the integer X. Then, based on the split information D[i] found by the integer X from the first 1 element decided, the location to set the next element is decided in order, the array V50 is evenly distributed from the integer X to set 1 or -1.
  • the integer X to be input requires (n1+n2) piece(s) of 8 bit split information in order for the array output unit 400 to decide n1 piece(s) of 1 and n2 piece(s) of -1 in the array V50. Because of that, a big one may be selected for the integer X at a design phase that allows setting each element of the array V50 sufficiently.
  • the array output unit 400 can evenly output the n-dimensional array based on the integer X. Because of that, in the case FOSRT is applied to the NTRU encryption, this array output unit 400 is used in stead of the array output unit 100 of the encryption device 10 in Fig. 2 (a) , and the array output unit 400 evenly outputs the n-dimensional array based on the hash function value H (m) output from the hash function unit 40. Therefore, it makes it possible to retain the well- balanced distribution of the hash function, and enhance the security level of the encryption text generated by the encryption device 10.
  • the array output unit 400 sets the array V50 only from the integer X, it does not require using a memory table and requires only a little memory.
  • the encrypted text may be decrypted.
  • the array output unit 100 is used for the encryption device 10 to output the array based on the hash function value, it is not limited to this.
  • the encryption device 10 explained in each embodiment may be installed and used in a portable telephone device 500 as shown in Fig. 19 , or used for an electric settlement or an electric commerce on the Internet.
  • each array output unit outputs the array having n1 piece(s) of 1, n2 piece(s) of -1 and other elements of 0, but 1 and -1 may be the other number. Also, in each embodiment 1, 2, 3 and 4, though each array output unit outputs 3 values of 1, -1 and 0, it may output 2 values, 4 values or more.
  • the numerical array output device that outputs various n-dimensional arrays consisting of n K-value integers, each of which is one of K kinds of integers, depending on an input integer, comprising: an initial array decision unit operable to tentatively decide an initial array; and a changing unit operable to change an array element of the initial array decided by the initial array decision unit into the n-dimensional arrays based on the input integer, it is possible to acquire the n-dimensional array based on the integer such as an output value of the hash function without using so much memory. Therefore, the n-dimensional array, which retains a balance based on the integer values evenly distributed by the hash function, may be acquired.
  • the changing unit includes a division unit operable to divide the input integer by a specific integer and produce a remainder, and a replacement unit operable to replace the array element of the initial array based on the remainder produced by the division unit, the well-balanced n-dimensional array can be acquired based on the integer values evenly distributed by the hash functions, etc., without a use of so much memory.
  • the changing unit includes a division unit operable to divide the input integer by a specific integer and produces a remainder, and an integer placement unit operable to replace the array element, which is located at a position based on the remainder produced by the division unit among the array element of the integer P3 in the initial array, with the integer P1, it is possible to acquire the n-dimensional array that further retains the balance based on the integer values evenly distributed by the hash function without so much memory.
  • the encryption device of the present invention that encrypts a message comprising: a function value output unit operable to calculate the message with a one-way converting function and output its result as a function value; a numerical array output unit including an initial array decision unit that tentatively decides an initial array and a changing unit that changes an element of the initial array decided by the initial array decision unit into an n-dimension array based on the function value output by the function value output unit, and operable to output various n-dimensional arrays consisting of n K-value integers, each of which is one of K kinds of integers, depending on the function value; and an encryption text generation unit operable to generate an encryption text based on the array output by the numerical array output unit, it is possible to acquire the well-balanced n-dimensional array based on the integers evenly distributed by the one-way function such as the hash function value of a message, so that a security level of the encryption text may be enhanced.

Landscapes

  • Engineering & Computer Science (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
EP20090174508 2001-10-19 2002-10-15 Dispositif de sortie réseau numérique, procédé de sortie réseau numérique, dispositif de cryptage et dispositif de décryptage Withdrawn EP2148463A3 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2001321651 2001-10-19
EP02022986A EP1304829B1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage
EP20070012355 EP1841123A1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
EP20070012355 Division EP1841123A1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage
EP02022986A Division EP1304829B1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage

Publications (2)

Publication Number Publication Date
EP2148463A2 true EP2148463A2 (fr) 2010-01-27
EP2148463A3 EP2148463A3 (fr) 2015-04-22

Family

ID=19138836

Family Applications (3)

Application Number Title Priority Date Filing Date
EP20090174508 Withdrawn EP2148463A3 (fr) 2001-10-19 2002-10-15 Dispositif de sortie réseau numérique, procédé de sortie réseau numérique, dispositif de cryptage et dispositif de décryptage
EP02022986A Expired - Lifetime EP1304829B1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage
EP20070012355 Withdrawn EP1841123A1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage

Family Applications After (2)

Application Number Title Priority Date Filing Date
EP02022986A Expired - Lifetime EP1304829B1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage
EP20070012355 Withdrawn EP1841123A1 (fr) 2001-10-19 2002-10-15 Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage

Country Status (5)

Country Link
US (1) US7233662B2 (fr)
EP (3) EP2148463A3 (fr)
DE (1) DE60223888T2 (fr)
ES (1) ES2296862T3 (fr)
NO (1) NO326812B1 (fr)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7190791B2 (en) * 2002-11-20 2007-03-13 Stephen Laurence Boren Method of encryption using multi-key process to create a variable-length key
CN1778066B (zh) * 2003-04-24 2011-10-12 松下电器产业株式会社 参数生成设备,加密系统,解密系统,加密设备,解密设备,加密方法,解密方法,及其程序
FR2861235B1 (fr) * 2003-10-17 2005-12-16 Sagem Procede de protection d'un algorithme cryptographique
WO2005098796A1 (fr) 2004-03-31 2005-10-20 Nec Corporation Méthode d’application de bourrage garantissant la sûreté d’une méthode de cryptage
US7835978B2 (en) * 2005-12-23 2010-11-16 International Business Machines Corporation Method and system for linking an anonymous electronic trade order to an identity of a trader
US7668852B2 (en) * 2006-10-31 2010-02-23 Hewlett-Packard Development Company, L.P. Method for creating sketches of sets to permit comparison
SG11201908666VA (en) * 2017-03-21 2019-10-30 Tora Holdings Inc Secure order matching by distributing data and processing across multiple segregated computation nodes
US10454681B1 (en) 2017-11-17 2019-10-22 ISARA Corporation Multi-use key encapsulation processes
US10031795B1 (en) * 2017-12-22 2018-07-24 ISARA Corporation Using conversion schemes in public key cryptosystems
US10061636B1 (en) * 2017-12-22 2018-08-28 ISARA Corporation Conversion schemes for public key cryptosystems

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5142579A (en) * 1991-01-29 1992-08-25 Anderson Walter M Public key cryptographic system and method
AU716797B2 (en) * 1996-08-19 2000-03-09 Ntru Cryptosystems, Inc. Public key cryptosystem method and apparatus
KR20010002708A (ko) * 1999-06-17 2001-01-15 김동균 이진 정보 보호 전송방법
GB0013399D0 (en) * 2000-06-01 2000-07-26 Tao Group Ltd Decryption of cipher polynomials

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JEFFREY HOFFSTEIN; JILL PIPHER; JOSEPH H. SILVERMAN: "Lecture Notes in Computer Science", vol. 1423, 1998, SPRINGER-VERLAG, article "NTRU: A ring based public key cryptosystem", pages: 267 - 288
SCHALKVIJK: "An Algorithm for Source Coding", IT72-18, 1972

Also Published As

Publication number Publication date
DE60223888D1 (de) 2008-01-17
EP1304829B1 (fr) 2007-12-05
DE60223888T2 (de) 2008-11-13
US20030081770A1 (en) 2003-05-01
EP1841123A1 (fr) 2007-10-03
US7233662B2 (en) 2007-06-19
NO20025013L (no) 2003-04-22
EP1304829A2 (fr) 2003-04-23
EP2148463A3 (fr) 2015-04-22
NO20025013D0 (no) 2002-10-18
NO326812B1 (no) 2009-02-23
ES2296862T3 (es) 2008-05-01
EP1304829A3 (fr) 2004-06-09

Similar Documents

Publication Publication Date Title
CN108718231B (zh) 一种全同态加密方法、装置和计算机可读存储介质
US20070189524A1 (en) Method and apparatus for facilitating efficient authenticated encryption
JP6007975B2 (ja) フォーマット保存暗号化装置、方法およびプログラム、復号化装置、方法およびプログラム
JP2008203548A (ja) 二次双曲線群を使用する鍵生成方法、復号方法、署名検証方法、鍵ストリーム生成方法および装置。
JP2002543478A (ja) 公開鍵を署名する方法とシステム
EP2460310A1 (fr) Procédé de cryptage à clé symétrique et système cryptographique employant le procédé
EP1304829B1 (fr) Dispositif et procédé de sortie d'un ensemble numérique, dispositif de chiffrage et dispositif de déchiffrage
KR20150003932A (ko) 의사 랜덤 시퀀스 생성 방법 및 데이터 스트림의 코딩 또는 디코딩 방법
JP3180836B2 (ja) 暗号通信装置
Kamal et al. NTRU Algorithm: Nth Degree truncated polynomial ring units
CN109923829B (zh) 对秘密值达成一致
US20040258240A1 (en) Cryptosystems
Gorbenko et al. Methods of building general parameters and keys for NTRU Prime Ukraine of 5 th–7 th levels of stability. Product form
Gorbenko et al. Calculation of general parameters for NTRU Prime Ukraine of 6-7 levels of stability
JP4208230B2 (ja) 配列出力装置、配列出力方法、暗号化装置、および復号化装置
EP0973293A2 (fr) Cryptographie à clé publique présentant une meilleure protection contre des attaques à texte chiffré sélectif
KR100513958B1 (ko) 메시지의 전자서명 및 암호화 방법
JP3055636B2 (ja) 暗号通信符号化装置および復号化装置
JP2001509914A (ja) ディジタル署名を生成する方法およびその署名を検証する方法
JP2002252610A (ja) 暗号装置および復号装置並びに公開鍵暗号方式および公開鍵復号方式
JP3473171B2 (ja) 逐次暗号方式
Huang et al. A JCA-based implementation framework for threshold cryptography
KR20030000720A (ko) 키와 평문 사이에 연산이 이루어지지 않는 대칭키 블록암호 알고리즘 설계방법
JP2002139995A (ja) 公開鍵生成装置、暗号化装置および復号装置
Chang et al. Novel Encryption Scheme Based on Continued Fraction and Permutation

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20091029

AC Divisional application: reference to earlier application

Ref document number: 1304829

Country of ref document: EP

Kind code of ref document: P

Ref document number: 1841123

Country of ref document: EP

Kind code of ref document: P

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): DE ES FI FR GB IT

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LT

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): DE ES FI FR GB IT

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/30 20060101AFI20150317BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20150527